IP address of spam/FW-1
Desai, Jason
jase at SENSIS.COM
Tue May 20 15:43:57 IST 2003
Yes, SA allows you to decide which RBLs to use. You can put these
preferences in your spam.assassin.prefs.conf file. Check out
http://www.spamassassin.org/doc/Mail_SpamAssassin_Conf.html. Toward the
bottom of the page, search for RCVD. There you can see how to add another
RBL that SA may not use.
Jason
> -----Original Message-----
> From: Avi Levin [mailto:avi at CAXTONRVH.COM]
> Sent: Tuesday, May 20, 2003 8:59 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: [MAILSCANNER] IP address of spam/FW-1
>
>
> Thanks, Jason. I had turned off RBL checks in SA, figuring that MailScanner
> would do it, and have many more options/lists. But I'll see how it goes
> with SA. Have you found SA to allow you to decide which RBLs to use (I
> haven't looked into it much yet)?
> I think the IP address is harder to spoof, since the first hop for a spammer
> is frequently legit, and needs to see a valid source IP. But I suppose
> someone could hack their mailer. Still, although much of the spam I get has
> a spoofed sender domain name, the IP address seems to always be accurate,
> and a way to track the source.
>
> Thanks again for the tip.
> ---Avi---
>
> > > -----Original Message-----
> > > From: Desai, Jason [mailto:jase at sensis.com]
> > > Sent: Thursday, May 15, 2003 1:03 PM
> > > To: MAILSCANNER at jiscmail.ac.uk
> > > Subject: Re: IP address of spam
> > >
> > >
> > > This is one reason to let SpamAssassin do the RBL checks instead of
> > > MailScanner. I believe that SpamAssassin will check all of the Received
> > > header.
> > >
> > > Also, I would think that the Received header that immediately precedes the
> > > Message-Id and From headers could easily be spoofed by a spammer, so you
> > > really can't trust it.
> > >
> > > Jason
> > >
> > > > -----Original Message-----
> > > > From: Avi Levin [mailto:avi at CAXTONRVH.COM]
> > > > Sent: Thursday, May 15, 2003 12:45 PM
> > > > To: MAILSCANNER at JISCMAIL.AC.UK
> > > > Subject: [MAILSCANNER] IP address of spam
> > > >
> > > >
> > > > The IP address identified by MailScanner (4.14-9) in the log seems to be the
> > > > last host that handed off the message to my SMTP server. In other words,
> > > > the first "Received:" line in the envelope of each message.
> > > >
> > > > The problem I'm seeing with this, is that if I use Checkpoint's FW-1 SMTP
> > > > proxy, or any other internal scanners, then MailScanner's reported IP
> > > > address is no longer that of the actual sender.
> > > >
> > > > Shouldn't the sender's IP address be the one that's identified on the
> > > > "Received: " header that immediately precedes the "Message-ID:" and "From:"
> > > > lines?
> > > >
> > > > And finally, which address is used for RBL and other list checks?
> > > >
> > > > Please let me know if you've got any insights into this.
> > > >
> > > > Thanks.
> > > > ---Avi---
> > > >
> > >
> >
>
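
The question running through this thread, which Received hop to use for RBL checks when an internal SMTP proxy sits in front of the scanner, is sketched below as an added example. It is not part of the original messages and is not MailScanner or SpamAssassin code. The sample headers, the trusted 10.0.0.0/8 range and the zone dnsbl.example.org are constructed assumptions.

```python
import email
import ipaddress
import re

# Constructed sample: newest Received header first, as each MTA prepends its own.
RAW = """\
Received: from fw1.internal.example (fw1.internal.example [10.0.0.5])
\tby mail.internal.example with ESMTP; Tue, 20 May 2003 09:00:03 -0400
Received: from relay.sender.example (relay.sender.example [192.0.2.44])
\tby fw1.internal.example with SMTP; Tue, 20 May 2003 09:00:01 -0400
Received: from bank.example ([198.51.100.7])
\tby relay.sender.example with SMTP; Tue, 20 May 2003 08:59:58 -0400
Message-ID: <constructed@sender.example>
From: someone@sender.example
Subject: constructed test message

body
"""

# Assumption: hops we operate ourselves (e.g. the firewall's SMTP proxy).
TRUSTED = [ipaddress.ip_network("10.0.0.0/8")]
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_ips(raw):
    """IPs recorded in each Received header, newest hop first."""
    msg = email.message_from_string(raw)
    ips = []
    for hdr in msg.get_all("Received", []):
        m = IP_IN_BRACKETS.search(hdr)
        if m:
            ips.append(ipaddress.ip_address(m.group(1)))
    return ips

def first_untrusted_ip(raw, trusted=TRUSTED):
    """Walk down from our own MTA's header, skipping hops we control."""
    for ip in received_ips(raw):
        if not any(ip in net for net in trusted):
            return ip  # written by a host we run, so the sender could not forge it
    return None

def dnsbl_query_name(ip, zone="dnsbl.example.org"):
    """Name a DNSBL client looks up: reversed octets + zone (placeholder zone)."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone
```

Everything below the first untrusted hop (here the 198.51.100.7 line) was written by a host outside our control, so it is informational only.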